Ralph Shumaker wrote:
> Tracy R Reed wrote:
>> Todd Walton wrote:
>>> The Future of SELinux
>>> http://securityblog.org/brindle/2006/08/24/the-future-of-selinux-or-how-we-are-going-to-take-over-the-world/
>>>
>>> I agree with this 100%. We do need to get rid of the root user. RedHat
>>> shouldn't even configure a root password. It should instead configure
>>> a regular user password and give that user sudo. All of the new servers I
>>
>> If you don't configure a root password, obviously that will prevent one
>> from logging in as root. But would it prevent one from "sudo su -"? I
>> mean, not configuring root's password wouldn't actually prevent root's
>> account from existing, would it?
>>
>> Is there much of a difference between logging in as root and becoming
>> root via "sudo su -"? (I realize that the latter will be logged
>> somewhere showing who "became" root and that the former cannot show who
>> logged in as root.)
>
> Quick answer:
> 1. not all users are permitted to use sudo
> 2. those who do can be restricted in various ways
> 3. every sudo command is logged, which IMHO is one of the biggest
> benefits of using sudo. I want to be able to look up what I did!
>
> There is a bit of an interesting chicken-or-egg situation here.
> With no root password, the _only_ way to execute with root's privileges
> is via sudo. But a user can only perform sudo if there is an entry for
> that user (or a group he is a member of) in the /etc/sudoers control
> file. But only root can edit the sudoers file and/or add users to groups
> -- see the dilemma?
>
> Systems like Ubuntu set up an admin group with an entry in the
> standard-distribution sudoers file, and then on installation, ask for
> and create a user account (which is made a member of the admin group). I
> don't remember whether or not they come right out and say that that
> first user is an admin during the install.

Ummm, the only _other way_ is via ssh using pki authentication.
Err..now of course, there's always booting into single user mode or
accessing the filesystem on the hd by booting a livecd, or plugging the
hd into another system, or..
Well, maybe someone else would like to add some _more only other_ ways.
Regards,
..jim
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
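The logging point in Ralph's item 3 is the one a defender gets the most out of, so here is an added example (not code from anyone in this thread) that parses the lines sudo writes to syslog and answers Tracy's question in practice: who was granted a root shell via "sudo su -" or similar, and whose attempts sudo refused. The log lines, host and usernames are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Shape of the lines sudo writes to syslog (auth.log / secure). The "[pid]"
# after "sudo" appears on some systems; a denial reason ("user NOT in
# sudoers", "command not allowed", ...) precedes TTY= only on refused attempts.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+) : (?:(?P<denied>[^;]*?) ; )?"
    r"TTY=[^;]* ; PWD=[^;]* ; USER=(?P<target>[^;]*) ; COMMAND=(?P<cmd>.*)$"
)
# Commands that hand the caller an interactive shell as the target user. sudo
# logs this invocation only, not what is typed in the shell afterwards, so
# "sudo su -" records who became root but not what root then did.
SHELL_CMDS = {"su", "bash", "sh", "zsh", "dash", "ksh"}

# Constructed sample log lines; host and usernames are made up.
SAMPLE_LOG = """\
Aug 24 10:01:12 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su -
Aug 24 10:03:40 web1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/visudo
Aug 24 10:05:02 web1 sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/su -
Aug 24 10:07:19 web1 sudo[2210]: dave : TTY=pts/3 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/bash
Aug 24 10:09:55 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=postgres ; COMMAND=/bin/sh
""".splitlines()
@dataclass
class SudoEvent:
    ts: str
    user: str
    target: str
    cmd: str
    denied: Optional[str]  # None when sudo allowed the command

    @property
    def full_shell(self) -> bool:
        argv = self.cmd.split()
        return bool(argv) and argv[0].rsplit("/", 1)[-1] in SHELL_CMDS

def parse_sudo_log(lines) -> List[SudoEvent]:
    events = []
    for line in lines:
        m = SUDO_RE.match(line)
        if m:  # lines from other daemons (sshd, cron, ...) are skipped
            events.append(SudoEvent(m["ts"], m["user"], m["target"], m["cmd"], m["denied"]))
    return events

def root_shell_grants(events) -> List[SudoEvent]:
    # Who actually became root with an unrestricted shell.
    return [e for e in events if e.denied is None and e.target == "root" and e.full_shell]
def denied_attempts(events) -> List[SudoEvent]:
    return [e for e in events if e.denied is not None]
```

Run over a real auth.log the same two functions give the "who became root" list Tracy asked about, plus the refused attempts that a plain root login would never have recorded.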